"The hacker group LulzSec on Thursday posted information it took from Sony Entertainment and Sony BMG on its site, called the LulzBoat. The information includes about a million usernames and passwords of customers in the U.S., Netherlands and Belgium and is available for download and posted on the group's site. A release posted on LulzSec's page said the group has more, but can't copy all of the information it stole. The group also said none of the information it took from Sony was encrypted."

Actually, using openBSD instead of CentOS won't improve security much. Security is not just about the OS and middleware. If the application allows SQL injection, you can put all the encryption and fined grained permissions you want, there is still a hole in the application. And if the admin gives the root password on the phone to whoever asks, you have another hole. For a company the size of Sony, the human factor is much more complex to manage than for a single person managing his server. The admin doesn't necessarily care about security. If anything, security holes generate more money for him. There are hundreds of middlemen between him and the shareholders who do care about the security of the company. They have to hire audit teams and lawyers to make contracts that make sure the auditors get penalties in case of security problems and they have to make sure their lawyers do their job well, etc. It's not as easy as "hiring a good admin". They have to implement processes that involve thousands of people, where each one of them is a security risk.